Replacing Windows Explorer shell with NAL (for XP and Win 9.x)

Update: After this article was originally published, I received a number of emails asking if it can be done in Windows 9X. See the Win 9.x section for the instructions.

In a school lab environment we don't want the students "playing" with the "features" of Windows. We want a way to lock them out of everything except the handful of applications that apply to their work/assignments.

Windows XP

Create application objects for the apps you want users to run, and associate the app objects by workstation group. Make sure your application launcher config has "Read groups for applications (Workstation)" set to "YES". You can accomplish the same thing with user groups, but in our environment, applications are lab-specific so workstation groups make sense for us.

Create 2 .REG files. The key that will be changed is [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. One will replace the explorer.exe entry under that key with NAL. The other will replace NAL with Windows Explorer. This ensures that an administrator can re-enable Explorer as the shell with minimal headaches. You may also want to create an app object for explorer.exe and associate it with your administrative logins so you can launch it via NAL.
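The two .REG files described above could look like the following. This is an added example, not part of the original article; the file names are hypothetical, and the NAL path is assumed to match the one given for Win 9.x on this page, so adjust it to your install location.

```reg
; ---- File 1: nal-shell.reg (hypothetical name) ----
; Save the lines below this banner, starting at the header, as their own file.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
; Assumed path: confirm nalwin32.exe exists here before importing,
; otherwise the next logon has no working shell.
; Backslashes inside a .REG string value must be doubled.
"Shell"="c:\\progra~1\\novell\\zenworks\\nalwin32.exe"

; ---- File 2: explorer-shell.reg (hypothetical name) ----
; Save the lines below this banner as a second file for administrators.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
; Restores the Windows default shell.
"Shell"="Explorer.exe"
```

Either file takes effect at the next logon. Importing them requires write access to HKEY_LOCAL_MACHINE, so keep both files off the student-accessible drives.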

The result is a workstation with NAL as its shell. Students will find it harder to hack into the registry, mess with screen savers, play solitaire, etc.

We use this along with Dynamic Local Users and ZFD4 imaging to manage our computer labs, and it all works great.

Windows 9.x

Create application objects for the apps you want users to run, and associate the app objects by workstation group. Make sure your application launcher config has "Read groups for applications (Workstation)" set to "YES". You can accomplish the same thing with user groups, but in our environment, applications are lab-specific so workstation groups make sense for us.

Modify the c:\windows\system.ini file. Replace the Shell=explorer.exe line with SHELL=c:\progra~1\novell\zenworks\nalwin32.exe

The result is a workstation with NAL as its shell. Students will find it harder to hack into the registry, mess with screen savers, play solitaire, etc.

Other Ideas

JD wrote: Thanks Matt. In addition to the steps you are suggesting, we edit the registry to disable Task Manager when a student hits CTRL\ALT\DELETE. That way, they can't run a new task and run explorer.exe.